-
Notifications
You must be signed in to change notification settings - Fork 3.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[v1.6] Remove usages of an old versions of github.com/emicklei/go-restful #8168
Comments
Hello, as part of a university project and a first contribution to open source software, I would like to work on this issue |
Yes, you can cherry pick this |
Is this issue fixed? I can't find the old version in |
I just opened #8271 to solve this |
@mkevac Looks like this issue can be resolved? |
Seems like there are still traces of go-restful v3.7.3, which is also vulnerable to CVE-2022-1996 (need to use at least v3.8.0) |
Makes sense. #8221 up to resolve it! |
containerd is not affected. |
Yes sorry for the shortcut, I didn't mean to imply there is any actual risk in relation to this CVE. But scanning tools used for compliance (Prisma Cloud in my case) see a go-restful v3.7.3 inside containerd and don't like it. |
You should report a bug to your scanning tool vendor. The |
@samuelkarp - while I agree that contaienrd is not vulnerable, most security scanning tools will only go so deep and ask "what packages are being pulled in?" I would call this a transitive vulnerability since contaienrd does carry an older version of the software that happens to have a CVE in a block that is not currently getting called into. I would say it's not enough to dismiss this: what if a contributor someday does decide they need to use that function an accidentally introduce vulnerable code? What if a CI/CD workflow is kicked off that has a change which has the malicious piece of code? There are alot of (very unlikely) scenarios where carrying an old dependency is a bad idea. Regardless, on the main branch, old very versions of go-restful seem to still be present in the
|
There's ongoing discussion in #8412, so I'm only going to reply from a philosophical perspective rather than address this particular dependency.
Yes, and I would consider this to be a bug in the scanner. While a tool like
I think we'll have to disagree there. If the code is not getting invoked, no behavior of that code (features, bugs, or vulnerabilities) is reflected in the behavior of containerd.
Code review and maintenance is an ongoing activity of all the maintainers of this project. We do our best, but of course things can slip through. One idea that @tianon had on another project was to set up automation to run
For a stable branch of software, the focus tends to be more on reducing the overall churn in order to reduce the risk of regressions. In the absence of a relevant bug fix or security fix, the risk of introducing other, unnecessary change tends (to me) to outweigh the value of staying current. I do agree that it's generally worth updating dependencies on an actively-developed branch (like
The values in
|
closed by #8412 |
Description
There is a still usage on an old (and vulnerable) version of
github.com/emicklei/go-restful
inpkg/cri/streaming/server.go
Current version of
github.com/emicklei/go-restful
is v3Steps to reproduce the issue
No response
Describe the results you received and expected
I expected v3 version to be used.
What version of containerd are you using?
v1.6.18
Any other relevant information
No response
Show configuration if it is related to CRI plugin.
No response
The text was updated successfully, but these errors were encountered: